Sometimes you'll encounter an error message when trying to tunnel to a certain hutch machine using SSH. The following error message is displayed after your tunneled connection is refused:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
This page describes one of the simple ways to get rid of the problem when the host key has changed (the possibility mentioned in the bottom line of the error message, and a very common one).
Step-by-step guide
Before you start, note which machine and username you were using when you encountered the issue, and also note the machine to which you were trying to tunnel. (Note that if you see this problem when trying to use VNC to view a remote Windows laptop, oscilloscope, etc., the VNC runs on mec-daq, so the error comes from trying to tunnel to mec-daq.)
- Open a new terminal and log in using the particular username and machine from which you encountered the issue described above. For example, if you saw this error when you were trying to tunnel as efcunn from mec-laser to mec-hutch02, then you would log in as efcunn on mec-laser.
- Type cd ~/.ssh
- In this directory (check its contents by typing ls, as I've shown above) is a file called known_hosts. Inside this file are many lines of authentication gibberish, for each machine to which you've tunneled previously. The problem above arises when something about the machine or connection changes so that the authentication gibberish no longer matches. The error is thrown because this authentication mismatch could be symptomatic of a "man-in-the-middle" attack, where someone pretends to be the machine you're trying to access for the purposes of eavesdropping on your communication... or something like that (full disclaimer: I'm just a laser guy).
- Open the file known_hosts using your favorite text editor (vim, emacs, gedit, etc.). For example, this can be done by typing gedit known_hosts &
- Locate the line of the file that contains the name of the machine to which you are unable to tunnel. For example, if you had seen the error when trying to tunnel to mec-hutch02, then you would look for mec-hutch02. (Note again, if you had seen this error while trying to use VNC, then you would look for mec-daq (as of January 2022).)
- Delete the entire line (depending on the width of your window, one long line may wrap onto several rows of your screen; the next real line begins where a new computer name or IP address appears) so that no entry in the file contains the name of the unreachable computer. Be sure to save the file and exit the editor afterwards.
- Having exited the text editor, return to the command terminal and try again to tunnel to the machine of interest. If it worked, the terminal should tell you that it's adding the machine as a new "known host" and then complete your tunneling connection: problem solved! If this doesn't work, please seek professional assistance.
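As an added example (not part of this guide), the script below does the cleanup from the steps above programmatically: it drops every known_hosts entry naming a given host, including the hashed |1|salt|hmac form that OpenSSH writes when HashKnownHosts is enabled, where the host name cannot be found by eye as in the "Locate the line" step. The known_hosts content, host names and keys are constructed sample data, not taken from any real machine.

```python
import base64
import hashlib
import hmac

def hashed_host_field(hostname, salt):
    """Build the |1|salt|hmac host field OpenSSH writes with HashKnownHosts yes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample known_hosts content (fake keys, documentation IP range).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "mec-hutch02,192.0.2.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYhutch02",
    hashed_host_field("mec-daq", b"\x01" * 20) + " ssh-rsa AAAAB3NzaC1yc2EFAKEKEYdaq",
    "mec-laser ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYlaser",
    "# comments and blank lines are kept as they are",
])

def host_field_matches(field, hostname):
    """True if the first known_hosts column names `hostname`, plain or hashed."""
    if field.startswith("|1|"):
        parts = field.split("|")          # ['', '1', salt_b64, mac_b64]
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), parts[3])
    # Plain form: comma-separated names/addresses, non-default ports as [host]:port.
    for name in field.split(","):
        if name.startswith("[") and "]:" in name:
            name = name[1:name.index("]:")]
        if name == hostname:
            return True
    return False

def remove_host(known_hosts_text, hostname):
    """Return (kept_text, removed_lines): the file with every entry for `hostname` dropped."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)             # comment or blank line
            continue
        # Entries may start with a marker such as @cert-authority or @revoked.
        host_field = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        (removed if host_field_matches(host_field, hostname) else kept).append(line)
    return "\n".join(kept), removed

if __name__ == "__main__":
    kept, removed = remove_host(SAMPLE_KNOWN_HOSTS, "mec-hutch02")
    print("removed %d entries; remaining file:\n%s" % (len(removed), kept))
```

On a real system the same removal is done by the standard tool, ssh-keygen -R hostname, which also handles hashed entries. Because the warning exists to catch a host impersonation, confirm the new key fingerprint with whoever administers the machine before accepting it.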